[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Same 3 Ports and Never ANY Results #817

Open
spacezero20 opened this issue Mar 3, 2024 · 3 comments
Open

Same 3 Ports and Never ANY Results #817

spacezero20 opened this issue Mar 3, 2024 · 3 comments

Comments

@spacezero20
Copy link
spacezero20 commented Mar 3, 2024

Maybe it's because I'm new to bug bounty hunting/pentesting, but no matter what I do, I seem to get the same ports scanned with no results to show in the report. I have tried the following modules to no success (my screenshot here shows 1 example of its failure):

subdomain_scan
subdomain_takeover_vuln
admin_scan
wordpress_version_scan

What am I missing or doing wrong? How do I use this tool correctly, or is it currently just broken?

Because after completing the scan shown in the photograph, the report showed nothing of value (to my knowledge anyway) and almost no information altogether.

{"timeout": 3.0, "host": "arkoselabs.com", "ports": "443", "method": "tcp_connect_send_and_receive", "response": {"ssl_flag": false, "conditions_results": {"http": ["HTTP/1.1 400", "Content-Length: 915", "Content-Type: ", "Server: "]}}}

That's as much as I figured out from the wordpress_version_scan report ^


OS: Kali Linux

OS Version: kali-linux-2023.4

Python Version: 3.11.8

nettacker_fail

@Captain-T2004
Copy link
Contributor

Ok so a basic idea of why you are seeing the same ports after any scans is this, so how the tool works is it first perform a port_scan on the given target(s) and determine the open ports on the target(s). After that it loads your selected module and try to scan according to those modules, for example in this case the wordpress_version_scan sends a request to the "/wp-admin/install.php" endpoint on the specified target and on all the different ports that are given in the module(80,443 in this case). After that it checks for the response and try to match the provided conditions in the module to the response. If the conditions are satisfied then it outputs it as successful scan and show the output in the graph along with the module name, port and target. If not then it only shows output of the other scans that were successful. In your case it was unable to match the required conditions to get a successful response so it only shows the output of the successful scan i.e. port_scan. I will look into this scan module to find why it wasn't working for you, but usually if it detects something it will show you the output.

PS: You can look at how the scans are being done by turning on the verbose output using the -v argument.

Hope this helps.

@Captain-T2004
Copy link
Contributor

Took me a while to figure it out but i found out why it was not working. The problem was a missing "www", So as the target you put in didn't contain a www the requests sent to the target didn't contain it either and due to some reason the response is altered(in this case there is no response from the target if the end point is accessed without the www in the url). I have tested the wordpress_version_scan module and can confirm it works. I am attaching the results below.

Command used: "python3 nettacker.py -i https://www.arkoselabs.com -m wordpress_version_scan"
OS: Pop!_OS 22.04 LTS x86_64

Output:

image

@securestep9
Copy link
Collaborator

The module and Nettacker works as designed. By asking to scan https://arkoselabs.com Nettacker is connecting to the precise target and that target does not have wordpress - the response from the server is a 301 redirect which Nettacker is not following intentionally (because that would take the scan to a different target taking the pen test/scan "out of scope" (sorry I have to explain this: "staying in scope of an engagement" a concept familiar to people who perform penetration testing/bug bounty ad it means that the security tester are only testing what they are explicitly allowed/authorised to test).

If you wish to scan all subdomains of arkoseblabs.com the command you should have used:

python nettacker.py --skip-service-discovery -i arkoselabs.com -m wordpress_version_scan -s

the
-s

means "run all the modules listed for all subdomains of the target"

Before scanning any target with Nettacker make sure you have explicit permission (either a security penetration testing contract/agreement or being in-scope of the Bug Bounty programme which allows to run security scans on target subdomains/IP addresses

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants